That fact may be a key reason why WordPress is in the news right now as the subject of a large-scale attack from a huge number of computers from across the internet – known as an automated botnet attack – attempting to take over servers that run WordPress.
Some are saying that this current attack is the precursor of a botnet of infected computers vastly stronger and more destructive than those of today. That’s because the servers have bandwidth connections that are typically tens, hundreds, or even thousands of times faster than botnets made of infected machines in homes and small businesses.
WordPress’ popularity comes at a price in a situation like this, as a perceived vulnerability in the platform’s ease of use is weak security by users.
That weak security typically means continuing to use the word ‘admin’ as a user name – this is the default administration account that’s created when you first install WordPress – along with a password that brute-force attempts to guess are likely to succeed, which is what’s happening with this attack.
If you’ve disabled the default ‘admin’ account in your WordPress installation – or, even better, you’ve deleted it – and have something else in its place as the main administrator of your WordPress dashboard, that will likely take you out of the immediate target area of the attackers.
And if you’ve set a strong password – at least eight characters and in a combination of upper- and lower-case letters along with numbers and extended characters – you’re in a good position to be passed by if or when a botnet comes calling at your WordPress front door.
Don’t be complacent, though – this attack serves as a great reminder that securing your WordPress blog or website so that no one can get into it unless they’re invited is something you do need to be sure about.
So what can you do to make your site secure enough right now to deter such attacks in the future?
First, make sure you have the latest WordPress version installed. As of today, that version is 3.5.1.
If you still have an administrative user called ‘admin,’ there are two steps to take:
- Create a new admin account with a different name and give it a strong password.
- Delete the ‘admin’ user account; during that procedure, you’ll be asked by WordPress which other account should you assign posts, pages, etc, created by ‘admin’ to. Choose the new admin account name you just created.
Next, enable two-step verification for each user in your WordPress account. The simplest such service for a WordPress user to install and implement is the open source Google Authenticator. If you have that enabled for your Google account, or other services such as Dropbox or Amazon S3, then you’ll be familiar with how it works.
Grab it now, either by downloading it from the WordPress plugin repository or installing it via the ‘add new plugin’ function in your WordPress dashboard.
You’ll need the free Google Authenticator app for your smartphone in order to use this security feature. There are versions for Android, Blackberry and iOS.
And if you then follow the excellent “How To Enable 2-Step Authentication On Your Self-Hosted WordPress.org Site” guide published last week by Techfleece, you’ll be up and running in no time with a WordPress site that will give you more peace of mind than you had before.
In my view, this is the bare minimum you should have set up in your self-hosted WordPress site that gives you a good level of security for your peace of mind. It would make it more difficult to hack into your site.
There’s a lot more you can do as well including steps to take to better secure the server on which your WordPress platform is installed. There’s a great tutorial on the WordPress Codex that can tell you more.
Don’t let spammers, hackers or botnets mess up your presence on the web. You can be secure.
This post was first published on the Official WebHostingBuzz Company Blog on April 16, 2013. Founded in 2002, WebHostingBuzz is a web hosting company based in Auburn, MA, USA and in the UK. It offers web hosting, reseller hosting, VPS hosting, and dedicated hosting services from data centres across the United States and in Europe. WebHostingBuzz is a sponsor of NevilleHobson.com.
If your WordPress site runs at WordPress.com – it’s hosted by that service, not on your own server – follow this guide to set up two-step authentication: Greater Security with Two Step Authentication.
- WordPress Sites Targeted by Mass Brute-force Botnet Attack – April 15 notification from the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT).
- Further Steps To Combat The World-Wide Brute Force Attempts Against WordPress – advice on server protection from the WebHostingBuzz tech support team on April 13.
- WordPress botnet attack: Improve your security – tips in plain English from small-business marketing expert Jim Connolly on April 13.